Trusted Network Fallback Mechanism
The tnrhdb database can assign a security template to a particular host either
directly or indirectly. Direct assignment assigns a template to a host's IP address.
Indirect assignment is handled by a fallback mechanism. The trusted network software first
looks for an entry that specifically assigns the host's IP address to a
template. If the software does not find a specific entry for the host,
it looks for the “longest prefix of matching bits”. You can indirectly assign
a host to a security template when the IP address of the host
falls within the “longest prefix of matching bits” of an IP address with
a fixed prefix length.
In IPv4, you can make an indirect assignment by subnet. When you
make an indirect assignment by using 4, 3, 2, or 1 trailing zero
(0) octets, the software calculates a prefix length of 0, 8, 16, or
24, respectively. Entries 3 through 6 in Table 18-1 illustrate this fallback mechanism.
You can also set a fixed prefix length by adding a slash
(/) followed by the number of fixed bits. IPv4 network addresses can have
a prefix length from 1 to 32. IPv6 network addresses can have a
prefix length from 1 to 128.
The following table provides fallback address and host address examples. If an address
within the set of fallback addresses is directly assigned, the fallback mechanism is not
used for that address.
Table 18-1 tnrhdb Host Address and Fallback Mechanism Entries

| IP Version | tnrhdb Entry | Addresses Covered |
|---|---|---|
| IPv4 | 192.168.118.57:cipso or 192.168.118.57/32:cipso | 192.168.118.57. The /32 sets a prefix length of 32 fixed bits. |
| IPv4 | 192.168.118.128/26:cipso | From 192.168.118.0 through 192.168.118.63 |
| IPv4 | 192.168.118.0:cipso or 192.168.118.0/24:cipso | All addresses on the 192.168.118. network |
| IPv4 | 192.168.0.0/24:cipso | All addresses on the 192.168.0. network |
| IPv4 | 192.168.0.0:cipso or 192.168.0.0/16:cipso | All addresses on the 192.168. network |
| IPv4 | 192.0.0.0:cipso or 192.0.0.0/8:cipso | All addresses on the 192. network |
| IPv4 | 192.168.0.0/32:cipso | Network address 192.168.0.0. Not a wildcard address. |
| IPv4 | 192.168.118.0/32:cipso | Network address 192.168.118.0. Not a wildcard address. |
| IPv4 | 192.0.0.0/32:cipso | Network address 192.0.0.0. Not a wildcard address. |
| IPv4 | 0.0.0.0/32:cipso | Host address 0.0.0.0. Not a wildcard address. |
| IPv4 | 0.0.0.0:cipso | All addresses on all networks |
| IPv6 | 2001\:DB8\:22\:5000\:\:21f7:cipso | 2001:DB8:22:5000::21f7 |
| IPv6 | 2001\:DB8\:22\:5000\:\:0/52:cipso | From 2001:DB8:22:5000::0 through 2001:DB8:22:5fff:ffff:ffff:ffff:ffff |
| IPv6 | 0\:\:0/0:cipso | All addresses on all networks |
Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. The tnrhdb entry
0.0.0.0/32:admin_low is useful on a system where the literal address, 0.0.0.0, is
used as a source IP address. For example, DHCP clients contact the DHCP
server as 0.0.0.0 before the server provides the clients with an IP address.
To create a tnrhdb entry on a Sun Ray server that serves DHCP
clients, see Example 19-13. Because 0.0.0.0:admin_low is the default wildcard entry, see How to Limit the Hosts That Can Be Contacted on the Trusted Network
for issues to consider before removing or changing this default.
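The lookup rules above (implicit prefix length from trailing zero octets, explicit /prefix, backslash-escaped IPv6 colons, and longest-prefix-wins fallback) as an added, runnable model written for this page; it is not Trusted Extensions code, and the SAMPLE_TNRHDB list is a constructed database modelled on Table 18-1 rather than a real tnrhdb file.

```python
import ipaddress


def parse_tnrhdb_entry(entry):
    """Parse one tnrhdb line 'address[/prefix]:template' into (network, template).

    IPv6 colons are backslash-escaped in tnrhdb, so they are hidden before the
    template name is split off at the last real colon. Without an explicit
    /prefix, an IPv4 address gets its prefix length from its trailing zero
    octets (4, 3, 2, 1 zero octets -> /0, /8, /16, /24); IPv6 defaults to /128.
    """
    addr_part, template = entry.replace("\\:", "\x00").rsplit(":", 1)
    addr_part = addr_part.replace("\x00", ":")
    if "/" in addr_part:
        addr, plen = addr_part.split("/", 1)
        ip, plen = ipaddress.ip_address(addr), int(plen)
    else:
        ip = ipaddress.ip_address(addr_part)
        if ip.version == 4:
            octets = addr_part.split(".")
            zeros = next((i for i, o in enumerate(reversed(octets)) if o != "0"), 4)
            plen = 32 - 8 * zeros
        else:
            plen = 128
    # strict=False masks host bits, so 192.168.118.128/26 is accepted as a network
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False), template


def lookup_template(db, host):
    """Return (matched network, template) for host, or None if nothing matches.

    A /32 (or /128) entry is the direct assignment; any shorter entry is the
    fallback, and the entry with the longest matching prefix wins.
    """
    ip = ipaddress.ip_address(host)
    best = None
    for net, template in db:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, template)
    return (str(best[0]), best[1]) if best else None


# Constructed sample database modelled on Table 18-1 (not a real tnrhdb file).
SAMPLE_TNRHDB = [
    "0.0.0.0:admin_low",            # four zero octets -> /0, the default wildcard
    "0.0.0.0/32:admin_low",         # only the literal host 0.0.0.0 (DHCP clients)
    "192.0.0.0:cipso",              # three zero octets -> /8
    "192.168.0.0/24:cipso",         # explicit /24: only 192.168.0.x
    "192.168.118.0:cipso",          # one zero octet -> /24
    "192.168.118.128/26:cipso",
    "192.168.118.57:cipso",         # no zero octet -> /32, a direct assignment
    "192.168.0.0/32:cipso",         # the network address itself, not a wildcard
    "2001\\:DB8\\:22\\:5000\\:\\:0/52:cipso",
    "2001\\:DB8\\:22\\:5000\\:\\:21f7:cipso",
    "0\\:\\:0/0:cipso",
]
DB = [parse_tnrhdb_entry(e) for e in SAMPLE_TNRHDB]
```

Calling lookup_template(DB, "192.168.7.9") returns the /8 entry because the explicit 192.168.0.0/24 entry covers only 192.168.0.x, while lookup_template(DB, "0.0.0.0") returns the /32 admin_low entry rather than the wildcard.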
For more information about prefix lengths in IPv4 and IPv6 addresses, see Designing Your CIDR IPv4 Addressing Scheme in System Administration Guide: IP Services
and IPv6 Addressing Overview in System Administration Guide: IP Services.